Brexit: Data protection and cybersecurity law implications

On 29 March 2017, the UK Government served formal notice under Article 50 of the Treaty on European Union of its intention to withdraw from the EU (following the June 2016 UK referendum on EU membership). Under Article 50, the EU Treaties cease to apply to the UK two years after notification, so the UK's exit is expected to take effect in March 2019 (unless a withdrawal agreement enters into force sooner, which seems unlikely, or all Member States unanimously agree to extend the period). Negotiation of a new trade agreement with the EU could take several years beyond 2019, although the Prime Minister has declared the objective of achieving such an agreement within the two-year period.

Even though the UK has served notice to leave the EU, UK organisations are likely to face a data protection and cybersecurity law landscape heavily influenced by EU laws for the foreseeable future.

The cornerstone of the UK's current regulatory regime, the Data Protection Act 1998 (DPA), implements an EU directive written in 1995, when Google was three years from incorporation, Mark Zuckerberg was 11 and cloud computing was in its infancy compared with today. It is long overdue for a significant refresh.

A date for that refresh is already diarised for Friday 25th May 2018, when the General Data Protection Regulation (GDPR) will begin to apply across the European Union. The UK will also very likely shortly be committed to implementing the so-called Cyber Directive, the Network and Information Security (NIS) Directive, along with the other EU Member States, most likely by Spring 2018. A new directive for the police and criminal justice sector has also been finalised and must be transposed into EU Member State law by 6th May 2018.

So what are the data protection and cybersecurity law consequences for the UK, now that it has voted to leave the EU?

Interesting timing

The first point to note is that the GDPR is due to apply before the likely exit date in March 2019. The UK Government has indicated that it will freeze into UK law the EU legislation in force at the point of the UK's exit to ensure continuity, but may choose to amend that law in due course. That is significant: given the rules which will regulate its exit from the EU, the UK will almost certainly experience life under the GDPR, and the GDPR will very likely remain on the UK statute book after exit day.

The GDPR's 'long arm' approach to jurisdiction

The second point to note is that even if the overlap between the UK's EU membership and the application of the GDPR in the UK were to be short lived, any UK business which trades in the EU will have to comply with the GDPR regardless of Brexit taking effect.

That's because the GDPR's many obligations will apply to organisations located anywhere in the world which process the personal data of individuals in the EU in connection with offering them goods or services, or with "monitoring" their behaviour (a concept wide enough to pick up many online behavioural marketing and profiling activities). Also, any UK business which has a group company, branch or staff established within the EU will have to comply with the GDPR's provisions in respect of that establishment. The same will be true of the successor to the e-Privacy Directive once it is finalised in due course.

The UK's post-Brexit options and 'adequacy'

In light of the Brexit vote and subsequent notice to leave the EU, the most obvious options for the UK for interacting and trading with the EU are particularly interesting when looked at through a data protection law lens:

The European Free Trade Association (EFTA) model: often referred to as the Norwegian model. If it takes this route, the UK will remain a party to the European Economic Area (EEA) Agreement. It will therefore benefit from free trade arrangements and be included in the EU single market, but will have to commit to comply with certain fundamental EU rules and restrictions. For Norway, Iceland and Liechtenstein (the existing non-EU members of the EEA) this currently means that each has implemented the Data Protection Directive and the e-Privacy Directive into its local law. It seems unlikely that the UK will be able to avoid accepting the GDPR as is if this option is adopted.

The Swiss model: Switzerland is not a member of the EEA, but is a member of EFTA. It accesses the EU single market via a set of regularly updated bilateral agreements. Switzerland has its own data protection laws which look and feel very similar to the laws of an EU Member State which has implemented the Data Protection Directive. Indeed, Switzerland's laws have been recognised as "adequate" by the European Commission (EC), i.e. adequately protective of the rights of EU data subjects, thereby enabling transfers of personal data from EU data controllers to Swiss-based importers to take place lawfully without further safeguards. It remains to be seen whether, when and how Switzerland will update its current data protection laws to mirror the GDPR so that its adequacy decision is not revoked by the EC after the GDPR applies, although the Swiss government has already indicated its intention to seek to retain its adequacy status after May 2018. The UK would face the same decision in relation to GDPR adoption were it to adopt a Swiss-style relationship with the EU.

The 'go it alone' model: the UK might now seek to strike deals with the EU independently or via collective organisations such as the WTO (i.e. following the approach currently adopted by countries such as Canada and the USA). If it does so then, on the face of it (and as with the Swiss model), it will have free rein to choose the form of data protection laws which it introduces to update the DPA. However, recent history tells us that, when it comes to the question of data transfers, EU regulators and courts take an extremely dim view of countries which do not adopt EU-strength data protection laws. The invalidation of the EU-US Safe Harbor data sharing arrangement by the Court of Justice of the EU in 2015, and the stand-off with the USA that followed, is a case in point. The UK economy, in particular its financial services sector, relies on an ability for data to be transferred freely to and from the UK.

If the UK were to decide not to upgrade its data protection laws to a GDPR-level standard, the question will inevitably arise soon after the GDPR's 25th May 2018 introduction whether UK law offers data protection 'adequacy'. The answer will almost certainly be that it does not. That will put the UK in the position of having to adopt either EU-strength data protection laws (so as to join countries such as Canada in benefiting from an adequacy decision) or an EC-approved data transfer mechanism (as the USA has done via the EU-US Privacy Shield) if it wants to avoid inconveniencing UK businesses by forcing them to rely on other transfer mechanisms, such as the EC's standard contractual clauses, every time they receive personal data from the EU. Historic criticism of the UK's security services in the context of the revelations made by Edward Snowden will very likely be raised by the EC, as well as by EU-based data protection regulators, in any future discussion regarding UK 'adequacy'.

Looking at each of these options it seems likely that either the GDPR or a law that looks very like it will be required in the UK after Brexit takes effect.

The impact of the Brexit vote upon the ICO

Those familiar with EU data protection regulation will be aware that the Article 29 Working Party (A29WP), whose members include representatives from each EU Member State's supervisory authority, regularly issues important opinion papers on key data protection issues.

In the run-up to the GDPR applying from 25th May 2018, the A29WP will publish hugely significant opinions and guidance which will, to a large extent, shape interpretation of the GDPR. The GDPR will then replace the A29WP with the European Data Protection Board (EDPB), which is set to play a very significant role in data protection compliance as a body central to the formation of guidance and the approval of codes of conduct and certification schemes and, crucially, as the body that issues binding decisions where national regulators disagree under the GDPR's consistency mechanism. Like the A29WP, the EDPB will be comprised of the heads of the supervisory authorities of each EU Member State (together with the European Data Protection Supervisor).

In relation to both the A29WP's opinions and the EDPB's activities, the ICO's voice would appear to be increasingly marginal in the aftermath of the Brexit vote and the triggering of Article 50. In relation to the EDPB, unless an exception can be negotiated (and is that really feasible?), it seems that the often comparatively liberal voice of the ICO will lose its seat at the top regulatory table once the UK exits the EU.

The large number of UK businesses which are likely to fall within the territorial scope of the GDPR could find themselves subject to guidance from, and being judged by, a body which does not include their own national regulator.

It will be interesting to see the extent to which the ICO's voice is valued within the A29WP discussions on significant data protection policy issues between now and Brexit taking effect, whether those issues relate to the GDPR or to other important topics, such as the future of the EU-US Privacy Shield.

A word about the NIS Directive

Once Brexit takes effect, the UK will no longer be obliged to implement EU Directives into its national law. This may include the NIS Directive, although on its current legislative timetable the NIS Directive seems likely to require implementation into Member State law before any Brexit takes effect, perhaps in the UK as a Cybersecurity Act 2017 or 2018.

A decision not to adopt the NIS Directive, or a near clone of it, into UK legislation would be questionable. It is hard to identify much of the directive that doesn't make plain common sense. Clearly its provisions that address a pan-European approach to minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators of essential services will need to be reconsidered, but the obvious benefits of a common approach to global cyber threats will be a spur to find ways to lock the UK voluntarily into the EU's NIS Directive regime.

Although the UK Government has now served notice to leave the EU, the UK will no doubt wish to continue to trade with the EU, so closely comparable data protection and cybersecurity laws will be necessary in many areas to avoid barriers to trade.

We intend to update our guidance in this area as the data protection and cybersecurity law implications become clearer.